You are here

NEW YORK – Congresswoman Carolyn B. Maloney (NY-12) outlined priorities for cybersecurity of the financial system today at Symphony’s “Innovate 2016” conference. During her remarks, the Congresswoman noted that the risks posed by cyberattacks “have grown significantly in the past few years” and that in order to address these new dangers, we, as a country, must recognize that they go beyond businesses issues, but must be addressed as a policy issue due to operational risk, disruption of financial activity and threats to customer privacy. Rep. Maloney is the Ranking Member of the House Financial Services Subcommittee on Capital Markets and Government Sponsored Enterprises, as well as a senior member of the House Oversight and Government Reform Committee.

Congresswoman Maloney pointed out that cybersecurity was first formally identified as a “potential systemic risk to the financial system” in the Financial Stability Oversight Council’s 2015 annual report and that this risk is not going away without intervention not just from the private-sector but from the government as well. Rep. Maloney noted that the unique nature of cybersecurity risks pose difficult challenges for those seeking to protect the financial system from such attacks.

“Cybersecurity is different from other risks because we often don’t know who the attackers are — or what their motivations are. Attackers can be competitors trying to steal confidential information to gain a business advantage, or criminals trying to steal credit card numbers to sell to the highest bidder.

“But they can also be hackers with a political agenda, who are trying to steal information that they believe can advance their cause. These hackers may not be motivated by money at all — and as a result, the cyber-attacks they carry out may be embarrassing, but may not cause any financial losses to the company that was hacked.

“Finally, we are increasingly seeing sophisticated cyber-attacks being carried out by nation-states — with Russia being the most prominent example, but North Korea not far behind,” said Congresswoman Maloney.

Background

Congresswoman Maloney has been in discussions with the Federal Reserve Bank of New York regarding the February 2016 heist of $81 million from the Bangladesh central bank’s account at the bank and has subsequently spoken to U.S. banking regulators, the Federal Reserve, the Federal Deposit Insurance Corporation and the Office of the Comptroller of the Currency, about their actions to address such cybersecurity issues.

You can see the Congresswoman’s letter to the NY Fed here, the Fed’s response here, the letter to the regulators here, as well as their response here.

Rep. Maloney’s remarks, as prepared for delivery, can be found below.

Thank you for inviting me to join you today at this wonderful conference.

I’d like to talk to you about cybersecurity and the financial system, which I know is a topic of great interest to all of you. But I’d like to give you the policymaker’s perspective on cybersecurity, because policymakers — by necessity — look at cybersecurity from a different perspective than private market actors.

The risks that cyber-attacks pose to the financial system have grown significantly in the past few years. To illustrate how quickly these risks have grown, consider the number of times the word “cyber” appears in the FSOC’s annual reports.

For those who don’t know, the Financial Stability Oversight Council — or “FSOC,” as we call it in Washington — is the body that Congress created in the 2010 Dodd-Frank Act to monitor systemic risks to the U.S. financial system, and it consists of the heads of all the major financial regulators.

By law, the FSOC must publish an annual report that outlines the emerging threats to U.S. financial stability.

In 2011, when the FSOC published its first annual report, the word “cyber” was mentioned only 3 times.

In 2012, “cyber” was mentioned 10 times.

In 2013, that number grew to 17, and in 2014 it grew again to 28.

In the 2015 annual report, cybersecurity took a quantum leap forward — the number of times that “cyber” was mentioned doubled from 28 to 56, and cybersecurity was formally identified as a potential systemic risk to the financial system.

In FSOC’s 2016 annual report, which was published this past June, the number of times “cyber” was mentioned increased again to 66, and cybersecurity was again listed as a potential systemic risk.

I think it’s safe to say that cybersecurity is going to remain a threat to our financial system for a long, long time.

That’s why this conference and companies like Symphony are so important. Symphony was founded, in part, because financial institutions realized that some cybersecurity problems are fundamentally business problems, and Symphony provided a private-sector solution.

This leads me to the main question I’d like to address today: When does a cybersecurity problem for financial institutions become a policy issue?

This is a difficult question to answer, in part because of the unique nature of cybersecurity risks.

Cybersecurity is different from other risks because we often don’t know who the attackers are — or what their motivations are.

Attackers can be competitors trying to steal confidential information to gain a business advantage, or criminals trying to steal credit card numbers to sell to the highest bidder.

But they can also be hackers with a political agenda, who are trying to steal information that they believe can advance their cause. These hackers may not be motivated by money at all — and as a result, the cyber-attacks they carry out may be embarrassing, but may not cause any financial losses to the company that was hacked.

Finally, we are increasingly seeing sophisticated cyber-attacks being carried out by nation-states — with Russia being the most prominent example, but North Korea not far behind.

While not directed at financial institutions, the recent hack of the Democratic National Committee is the most prominent example of a cyber-attack carried out by a nation-state, for reasons that appear to be entirely political in nature.

So given the unique nature of cybersecurity threats, when does this become a policy issue for financial institutions?

I would suggest that cybersecurity becomes a policy issue for financial institutions in three different situations.

First, cybersecurity becomes a policy issue when it poses an operational risk to regulated financial institutions, such as banks.

In other words, cyber-attacks that can cause real, financial losses to financial institutions such as banks require a policy response. That’s because banks are insured by the FDIC — and therefore, by the taxpayers.

If a cyber-attack can cause a bank to become insolvent — or significantly contribute to a bank’s failure — then it is taxpayers who are on the hook. It is a policymaker’s job to ensure that banks have controls in place to protect against cyber-attacks that can cause financial losses to banks, and therefore taxpayers.

Second, cybersecurity becomes a policy issue when it threatens to disrupt day-to-day financial activity, or threatens to undermine confidence in the financial system.

The most prominent example of this was the hack of the Bangladesh central bank earlier this year, in which hackers successfully stole $81 million dollars out of the Bangladesh central bank’s account at the New York Fed.

This story could have been straight out of Hollywood. The hackers breached Bangladesh Bank’s security system, stole the bank’s SWIFT credentials, and then used those stolen credentials to send 35 fraudulent payment orders to the New York Fed through the SWIFT system for international payments.

The hackers tried to transfer nearly $1 billion dollars out of Bangladesh Bank’s account, but because of a fluke and quick thinking by a New York Fed employee, 30 of the 35 payment orders were halted. The fluke was that the street name in the address of one of the payment orders was the same as the name of a sanctioned vessel — which triggered an automatic review for possible sanctions violations.

Of course, this was a false positive — the payment order had nothing to do with the sanctioned vessel. But it halted all 30 of the payment orders in the second batch, and when the New York Fed looked at those 30 payment orders, they noticed that something didn’t look right, and refused to process the orders until they got confirmation from Bangladesh.

But the most interesting part of the story is what happened to the payment orders in the first batch that didn’t trigger a sanctions review, and were processed automatically. One of those payment orders was reversed, but four payment orders for $81 million dollars got through.

The $81 million dollars went to four accounts in the Philippines, and were then transferred to casinos in the Philippines — and the money was then cashed out in casino chips.

And because the Philippine casino industry is not subject to anti-money laundering regulations, there is no record of who cashed the chips out.

It was one of the largest and most brazen bank heists in history — and it all happened electronically. It was a cyber-heist, pure and simple.

The investigations into this cyber-heist are still very much ongoing, and the FBI is now involved — so we may still catch the cyber-attackers who were behind this.

Now, I’m telling you this story not only because it’s a heist worthy of Hollywood. It also illustrates how a cybersecurity risk can threaten to undermine confidence in the financial system — and therefore disrupt normal, day-to-day financial activities such as sending money across borders.

And that’s because the attackers in the Bangladesh case were able to send the fake payment orders through SWIFT — which, as you all know, is the financial messaging system through which banks send international payment orders.

The attackers didn’t breach SWIFT’s security system, but once they had breached Bangladesh Bank’s systems and stolen their SWIFT credentials, the attackers were able to use those credentials to send fully-authenticated payment orders through the SWIFT system.

In other words, the only reason the New York Fed viewed those payment orders as legitimate is because they were fully authenticated by SWIFT.

To be clear, as far as we know, SWIFT itself has never been breached. But there have now been several reported cases of banks being hacked, and having their SWIFT credentials stolen.

If these hacks become more common, then people could start to lose confidence in the integrity of payment orders sent through SWIFT — and basic international payments could be disrupted, causing severe economic damage.

I have been actively engaged with the bank regulators in the U.S. on this issue, and with SWIFT as well, and I can tell you that everyone — the regulators, SWIFT, and the banks — is taking this issue very, very seriously.

In fact, just a few weeks ago, the Basel Committee — which includes all the major central banks in the world — released a statement calling these recent hacks “a significant concern for the central banking community,” and announcing a new task force that will look into the cybersecurity of payment systems that involve banks and other financial institutions.

Given the seriousness of the threat, I applaud the Basel Committee for moving forward on this issue.

The third situation in which cybersecurity becomes a policy issue for financial institutions is when customer privacy is compromised.

Financial institutions necessarily store a lot of private, confidential information about their customers. Just your transaction history can tell someone a lot about you — what stores you go to regularly, what you’re interested in, even your travel history.

There is a legitimate policy interest in protecting customers’ privacy, and cyber-attacks can compromise that privacy without causing any financial harm to either the financial institution or the customers.

The House Financial Services Committee, where I am one of the senior Democrats, passed a bill last December that would help address many of these concerns by requiring all companies that handle sensitive financial information for consumers — retailers included — to adopt minimum data security standards.

The bill — which is called the Data Security Act — uses the data security standards that banks are already required to use under the Gramm-Leach-Bliley Act of 1999.

These standards have proven to be very effective. They are flexible, so they can evolve as cyber threats evolve — and they are scalable, so they can work for both small and large businesses.

We know that these standards are not too onerous on small businesses, because we have 17 years of experience with these standards in the banking system.

Believe me, I hear from community banks about regulatory burdens all the time, and I’ve never once heard from community banks that the data security standards are too burdensome.

The bill passed out of committee on a broadly bipartisan basis, so I believe this bill’s prospects are very good in the next Congress. But I hope we can pass it quickly because the stakes are very high.

When you read the news, it can often seem like hackers are always several steps ahead of the rest of us, especially when it comes to our policies. We’re often responding to the latest hack, while the hackers are planning something new.

That’s where all of you come in. A critical piece to this puzzle will be the collaboration between policymakers and the private sector. You are on the front lines, thinking about risk every day but trying to balance risk mitigation with the need to have a viable business that customers can access.

Some of you may have heard of the Financial Services Information Sharing and Analysis Center, or FS-ISAC for short, which is a key forum for policymakers to collaborate with industry on the issue of cybersecurity threat facing the financial sector.

If you haven’t heard of it, I’d encourage you to look into it. It’s a critical resource for policymakers looking for guidance on addressing cybersecurity threats.

I also want to encourage more venues like this one, as a chance for us in government to tell you what we’re working on, and to learn from you.

Now, I’m not going to pretend like a bunch of conferences and committees is going to solve this problem. It’s not. But more and better communication between the private sector and the public sector, and pressure from you on us to act when we need to, is the only way we’re going to have a chance at better mitigating cybersecurity threats.

I want to thank you again for inviting me to this conference, and for being such a gracious audience.

I hope I have provided you with a better sense for how policymakers think about cybersecurity issues and enjoy the rest of this conference.